Oddbean new post about login | logout A lot are still usermode hooks. Some are mixed. For example, CarbonBlack has some kernel level drivers for file and network detections, but its prevention policies all operate as usermode hooks. https://github.com/Mr-Un1k0d3r/EDRs